Ten-million-yuan-level fines warn commercial banks of personal information protection legal risks and countermeasures

Abstract: The protection of personal information in commercial banks has long attracted the attention of the society. The promulgation of the "Personal Information Protection Law" has put forward higher management and service requirements for commercial banks that hold a large amount of customer personal information. The regulatory authorities frequently issued large fines to commercial banks , affirming the strength and determination of strict supervision. As personal information processors, commercial banks currently have imperfect systems, and under the current situation that "informed-consent" has not been fully implemented, establishing a personal information data asset database, improving system management, and implementing self-certification and compliance will play a significant role in preventing personal information laws and regulations. Risk matters.

【Key words】：personal information protection, commercial bank, informed -consent, data asset database, self-certification compliance

In January 2022, the Shanghai Branch of the People's Bank of China and the Hangzhou Central Sub-branch of the People's Bank of China issued fines of 16.74 million yuan and 22.365 million yuan respectively ( see Table - 1 for details) . The types of behavior include: violation of credit information collection, provision, inquiry, and failure to perform suspicious transaction reporting obligations in accordance with regulations . From the perspective of the industry, these types of penalties are closely related to personal information protection, anti-money laundering and data governance. Based on this, this paper sorts out the development process of personal information protection , the current situation of personal information protection of commercial banks and legal risks, and puts forward countermeasures for commercial banks to protect personal information.

Table -1 Administrative Punishment Information Publicity Form

1. The development process of personal information protection in Europe and China

In the field of personal information protection, the EU has always been in a leading position compared with other regions and countries 1 . On January 28, 1981 , in the context of the increasingly frequent cross-border flow of automatic processing of personal data, the member states of the Council of Europe signed Treaty No. 108 in Strasbourg , the "Convention on the Protection of Individuals Concerning the Automatic Processing of Personal Data". It is the first legally binding international document on data protection in the world. In 1995, the European Union issued the Directive on the Protection of Individuals Involving the Processing of Personal Data and the Free Movement of Such Data. In 2018, the Council of the European Union passed the General Data Protection Regulation (GDPR), which is the most important change in data privacy regulations in the past 20 years. Strict regulations, lawmakers are trying to meet the EU's principles of data privacy and algorithmic fairness , and propose a valid consent standard before information processing2 , and penalties for violations will reach 20 million euros or annual global turnover4 % (whichever is higher). Scope of application of the GDPRIt is not limited to companies headquartered in the EU, but covers all organizations that collect data from EU citizens, and the regions and countries that have trade relations with the EU will be more or less affected by it.

Before the promulgation of the "Personal Information Protection Law of the People's Republic of China" (hereinafter referred to as the "Personal Information Protection Law"), laws and regulations on the protection of personal information by commercial banks had a relatively complete history of development . In 1992, the State Council promulgated the "Regulations on the Administration of Savings", stipulating that "savings institutions have the responsibility to keep depositors confidential in handling savings business" , and put forward the responsibility of confidentiality to commercial banks. In 1995, the Standing Committee of the National People's Congress promulgated the "Commercial Bank Law of the People's Republic of China", which stipulates at the legal level that "commercial banks shall be responsible for the confidentiality of depositors when handling personal savings deposits." The promulgation of the "Interim Measures for the Management of Personal Credit Information Basic Database" in 2005 regulated the collection , processing , retention , query, objection handling, user management, and security management of personal credit data , requiring commercial banks to Put the right to know in the first place , and began to establish the obligation of "telling" of commercial banks . Both the 2009 "Criminal Law Amendment (VII)" and the 2015 "Criminal Law Amendment (IX)" clearly stated that infringing on citizens' personal information would constitute a criminal offense, and increased punishment from the perspective of criminal responsibility. People's Bank of China atIn 2011 and 2012, the "Notice on the Protection of Personal Financial Information by Banking Financial Institutions" (Yinfa [2011] No. 17) and the "Notice on Further Improving the Protection of Customers' Personal Financial Information by Financial Institutions" ( Yinfa [2012] No. 80). And later the "Resident ID Card Law", "Decision on Strengthening Network Information Protection", "Guidelines for the Protection of Banking Consumer Rights and Interests", "Implementation Measures of the People's Bank of China for the Protection of Financial Consumer Rights and Interests", "Network Security Law", "Banking Financial Institutions" The Guidelines on Data Governance and others play a guiding and supervising role in the protection of personal information by commercial banks. On January 1, 2021, the "Civil Code of the People's Republic of China" came into effect, clarifying the principles and positions for the protection of personal privacy, personal information and personal data. In the 30- year historical development of personal information protection , commercial banks have formulated systems, management methods and implementation rules in accordance with various policies, laws and regulations. (See Figure -3 for details)

Figure -3 The development process of laws and regulations on personal information protection in China

2. The current situation and risk warning of personal information protection in commercial banks

(1) System management is extensive , and grassroots branches frequently violate regulations

Since the promulgation of the "Regulations on the Administration of Savings" in 1992, with the successive promulgation of subsequent laws and regulations, most banks have issued a series of rules and regulations or operational guidelines at the head office level to make personal information inquiries, verifications, changes, and storage. According to the requirements, hard management and control on the system have been set up for the processing of personal information by each position in the industry.

After the promulgation of the "Personal Information Protection Law", under the provisions of laws and regulations such as the "Anti-Money Laundering Law of the People's Republic of China", "Regulations on the Real-Name System of Personal Deposit Accounts", and "Administrative Measures for Financial Institutions' Customer Identification and Customer Identity Data and Transaction Record Storage", Incidents of commercial banks triggering violations of personal information processing occurred frequently. According to the "White Paper on Research on Criminal Issues of Employees of Financial Institutions in China ( 2021)" , because employees of the head office and provincial branches do not directly face customers, illegal use of customer information rarely occurs. In the process of verifying and collecting information, due to lack of refinement of the management system or operating guidelines or insufficient management training, personal information protection has not been implemented in actual business operations, resulting in unintentional violations of regulations for querying customers' personal information and being or It is not uncommon for non-work reasons to inquire in violation of laws and regulations, easily obtain personal information of customers, or even leak and resell personal information of customers, and collusion with outsiders to make profits . Due to the management system, operating guidelines and system settings not in place or not updated in time, there is an opportunity for illegal inquiry, collection and disclosure of customer personal information.

Table- 2 Year-to-Year Comparison of the Position Distribution of Employees in the Financial Institutions Involved 

(2) Third-party platform for information sharing, risk of breaking away from bank control

Commercial banks have generally introduced third-party cooperation platforms in mobile banking, online banking, and WeChat applets, and guide customers to register and authorize third-party platform inquiries without the customer's explicit "knowledge" or customer "consent" Phenomena such as customer information are ubiquitous. On the premise of the commercial bank's credit endorsement, the customer enters the third-party platform through the commercial bank's official website, APP , WeChat applet and other interfaces. When customers register user information on third-party platforms and authorize third-party platforms to view personal information, they lower their guards. Later, due to losses caused by the disclosure of customer personal information by third-party platforms, the phenomenon of looking for commercial banks to "pay" frequently occurs . Or commercial banks actively share customer personal information with third-party platforms due to business development needs. The third-party platform obtains information, and the information begins to escape the bank's monitoring. This will undoubtedly increase the risk of customer information leakage.

(3) Legal responsibility for personal information protection

1. Civil Liability and Administrative Liability

The "Personal Information Protection Law" clarifies the civil and administrative responsibilities for violations of laws and regulations4 . When assuming civil liability, the principle of presumption of fault is implemented for commercial banks, which increases the responsibility of commercial banks to self-certify compliance and legality. The Personal Information Protection Law also empowers people's procuratorates, consumer organizations specified by law, and organizations determined by the national cyberspace administration to file lawsuits for violations of the law . The law grants the right to public interest litigation for infringement of personal information, which will inevitably increase the reputation risk and public opinion risk of commercial banks. When assuming administrative responsibility, according to the degree of violation, the law enforcement department shall be responsible for corrections, give warnings, and confiscate illegal gains and other punishment measures for minor cases; to serious cases, departments performing personal information protection duties at or above the provincial level shall order corrections and confiscate illegal gains , and impose a fine of less than 50 million yuan or less than 5% of the previous year's turnover, and may order the suspension of relevant business or suspend business for rectification, and notify the relevant competent department to revoke relevant business permits or revoke business licenses and other regulations of varying degrees of punishment. In terms of heavy penalties for violations, the "Personal Information Protection Law" refers to the practice of the EU's GDPR, which greatly increases the cost of commercial banks' violations and violations of personal information protection. The tens of millions of fines frequently issued by the regulatory authorities at the beginning of this year have confirmed the severity of punishment and the determination to strictly control with practical actions.

2. Criminal responsibility

Article 253-1 of the "Criminal Law of the People's Republic of China ( 2020 Amendment)" specifies the penalty for the crime of violating citizens' personal information. On May 8, 2017, the Supreme People's Court and the Supreme People's Procuratorate issued the "Interpretation of the Supreme People's Court on Several Issues Concerning the Application of Laws in Handling Criminal Cases of Infringement of Citizens' Personal Information ". ” made an explanation, including laws, administrative regulations and departmental rules. The "Personal Information Protection Law" is one of the legal provisions that commercial banks and their employees may be held criminally responsible for violations of personal information protection. According to the analysis and research of the "White Paper on the Research on Crimes of Employees of Financial Institutions in China" ( 2021 ), joint crimes account for a high proportion of crimes committed by employees of financial institutions. From insurance fraud to crimes of infringing upon citizens’ personal information. The number of criminal cases of crimes against citizens' personal information has increased from 7 in 2020 to 8 in 2021 . Based on this, it can be seen that criminal responsibility has been clearly stipulated at the legislative level, and the crime of infringing on citizens' personal information is now repeatedly prohibited.

3. Commercial Banks’ Personal Information Protection and Precautionary Measures

On November 1, 2021, the "Personal Information Protection Law" was officially implemented. It is my country's first legislation on personal information protection. It is the basic law in the field of personal information and has established a complete framework for personal information protection. The "Personal Information Protection Law" clearly defines that personal information is all kinds of information related to identified or identifiable natural persons recorded electronically or in other ways, excluding anonymized information; The "minimal way" that affects rights and interests, the "minimum scope" of collecting information should be limited to the realization of the purpose of processing, and the "three most" principles that the storage period should be the shortest time necessary to achieve the purpose of processing; comprehensively strengthen the processing of personal information to make customers "informed". "Responsibilities, and to obtain the customer's "consent", the processing of sensitive information requires a separate "consent" processing regulations. To this end, commercial banks are advised to take the following information precautions:

(1) Establish a personal information data asset database and do a good job of "hard" system protection

A data asset management department is set up at the head office level to sort out, count, and clean up existing personal information data assets . Take corresponding measures in accordance with the "Personal Information Protection Law", "Technical Specifications for Personal Financial Information Protection", "Interim Measures for the Management of Personal Credit Information Basic Database" and other regulations: First, classify and manage data according to the degree of sensitivity of the data, from high to low The low level is divided into three levels : C3, C2, and C1, and processing authority is set for each data query , modification , deletion , etc.; the second is to implement the risk monitoring and early warning report of data processing to prevent unauthorized access and avoid grass-roots branches Due to the "soft" system, such as imperfect systems or inadequate training, misoperation and mishandling of data cause personal information leakage, tampering, and loss, and strengthen the protection of customers' personal information from the "hard" system; the third is during the data processing process . Take security technical measures such as anonymization and de-standardization .

(2) Refining the personal information data protection system, covering the entire life cycle of data

The life cycle of personal financial information includes the entire process of collection, transmission, storage, use, deletion, and destruction of personal financial information . Commercial banks, as personal information processors, specify the responsible institutions for personal information protection within the bank, formulate rules and regulations and operational guidelines for information protection, and integrate with the system to manage personal information data processing by category, level, and throughout the cycle. On the basis of establishing a system, strengthen the professional ethics training of commercial bank employees. Risks always come from people, so that employees are in awe of supervision and law, and promote the compliance and legal processing of personal information. The personal information protection system and operational guidelines are implemented in business operations.

(3) Self-certification compliance, "informed-consent" has traces to follow

"Informed-consent" is the core of the principle of personal customer information protection. Before collecting and processing personal customer information, commercial banks should fully obtain the customer’s consent and perform the obligation of notification : First, when commercial banks process personal information offline, they should be aware of the purpose of customer information processing in a prominent way and in clear and understandable language ; In the text of the client agreement, avoid using "openness" words, and should clearly express the purpose, method, scope, etc. of the client's processing, and keep the signed text of the informed and client's consent. Second, when commercial banks process customer information through APP, WeChat official account, website and other channels, they should avoid using a large amount of redundant information, and should also use clear and easy-to-understand text to inform customers; Rolling bottom type, timing type, etc. Third, according to the level of the data asset database, it is necessary to ensure the "separate consent" of the customer for sensitive information. The fourth is to process personal information online, and it is necessary to keep a log of the processed information in case there are traces to follow in the follow-up "self-certification and compliance".

Four. Conclusion

Commercial banks should take the initiative to meet the new opportunities and challenges brought by the "Personal Information Protection Law", actively do a good job in personal information security protection, establish a data asset database, ensure accurate service, professional and agile identification and protection of personal information data, and transfer the pressure to In order to help, while ensuring the rights and interests of personal information, realize commercial banks to upgrade to financial digitization.

bibliography:

1. Liu Enze. Supervision Effectiveness and Impact of EU General Data Protection Regulation. Banker, The Chinese Banker, 2022 (02): 136-139.

2. Yu Shengsheng. "How can banks protect personal data under the strict trend of domestic and foreign legal environments?" ". "China Banking Industry", 2020 (1): 90-93.

3. Yu Baocai. "Challenges and Countermeasures of Financial Technology Development to Commercial Banks' Personal Information Protection". Southern Finance 2020 (529): 78-90.

4. Han Xiaoying. "Legal Analysis and Suggestions on Personal Information Protection of Commercial Banks". Modern Finance Guide 2021 (04): 72-75.

5. The China Judicial Big Data Research Institute and other units compiled the "White Paper on Research on Criminal Issues of Employees of Financial Institutions in China (2021)" .

Author: Zhejiang Liqun Law Firm    Ye Ping 15067 668220       

Zhejiang Liqun Law Firm    Mao Yuyang 18358665058